CA Output Management Web Viewer Security Notice

2011.05.02
Risk: High
Local: No
Remote: Yes
CWE: CWE-119


CVSS Base Score: 9.3/10
Impact Subscore: 10/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

CA20110420-02: Security Notice for CA Output Management Web Viewer

Issued: April 20, 2011

CA Technologies support is alerting customers to security risks associated with CA Output Management Web Viewer. Two vulnerabilities exist that can allow a remote attacker to execute arbitrary code. CA Technologies has issued patches to address the vulnerabilities.

The vulnerabilities, CVE-2011-1719, are due to boundary errors in the UOMWV_HelperActiveX.ocx and PPSView.ocx ActiveX controls. A remote attacker can create a specially crafted web page to exploit the flaws and potentially execute arbitrary code.

Risk Rating

High

Platform

Windows

Affected Products

CA Output Management Web Viewer 11.0
CA Output Management Web Viewer 11.5

How to determine if the installation is affected

If the end-user controls are at a version that is less than the versions listed below, the installation is vulnerable.

File Name                  Version
UOMWV_HelperActiveX.ocx    11.5.0.1
PPSView.ocx                1.0.0.7

Solution

CA has issued the following patches to address the vulnerability.

CA Output Management Web Viewer 11.0:
Apply the RO29119 APAR, and then have end-users allow updated controls to be installed (on next attempt to use impacted feature).

CA Output Management Web Viewer 11.5:
Apply the RO29120 APAR, and then have end-users allow updated controls to be installed (on next attempt to use impacted feature).

References

CVE-2011-1719 - CA Output Management Web Viewer ActiveX Control Buffer Overflows

Acknowledgement

Dmitriy Pletnev, Secunia Research

Change History

Version 1.0: Initial Release

If additional information is required, please contact CA Technologies Support at https://support.ca.com.

If you discover a vulnerability in a CA Technologies product, please report your findings to the CA Technologies Product Vulnerability Response Team.
support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177782

Thanks and regards,
Ken Williams, Director
ca technologies Product Vulnerability Response Team
ca technologies Business Unit Operations
wilja22 (at) ca (dot) com
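The version check described under "How to determine if the installation is affected" can be scripted on a client workstation. This is an added PowerShell example, not part of the CA advisory or CA tooling; the file names and fixed versions come from the advisory table, while the search folders are assumptions and should be adjusted to wherever the controls are installed in your environment.

```powershell
# Added example (not CA tooling). Fixed versions are taken from the advisory table.
# PowerShell hashtable keys are case-insensitive, which matches Windows file names.
$FixedVersions = @{
    'UOMWV_HelperActiveX.ocx' = [version]'11.5.0.1'
    'PPSView.ocx'             = [version]'1.0.0.7'
}

# Assumption: folders to search. Internet Explorer usually stores downloaded
# ActiveX controls in "Downloaded Program Files"; add other paths as needed.
$SearchRoots = @(
    (Join-Path $env:SystemRoot 'Downloaded Program Files'),
    (Join-Path $env:SystemRoot 'System32'),
    (Join-Path $env:SystemRoot 'SysWOW64')
) | Where-Object { Test-Path -LiteralPath $_ }

function Get-ControlStatus {
    param([System.IO.FileInfo]$File, [version]$Fixed)

    # Build the version from the numeric fields; the FileVersion string can
    # contain commas or spaces that [version] cannot parse.
    $info  = $File.VersionInfo
    $found = New-Object System.Version -ArgumentList `
        $info.FileMajorPart, $info.FileMinorPart, $info.FileBuildPart, $info.FilePrivatePart

    # A file without a version resource reports 0.0.0.0 and is flagged
    # as vulnerable so that it gets reviewed by hand.
    [pscustomobject]@{
        Path       = $File.FullName
        Found      = $found
        Fixed      = $Fixed
        Vulnerable = ($found -lt $Fixed)
    }
}

$results = foreach ($root in $SearchRoots) {
    Get-ChildItem -Path $root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $FixedVersions.ContainsKey($_.Name) } |
        ForEach-Object { Get-ControlStatus -File $_ -Fixed $FixedVersions[$_.Name] }
}

if ($results) {
    $results | Sort-Object Path | Format-Table -AutoSize
} else {
    Write-Output 'Neither control was found in the searched folders.'
}
```

A control is reported as vulnerable when its file version is lower than the fixed version listed in the advisory.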

References:

https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=%7BDED5B724-B500-46DA-A855-B2AF457B5364%7D
http://xforce.iss.net/xforce/xfdb/66904
http://xforce.iss.net/xforce/xfdb/66903
http://www.vupen.com/english/advisories/2011/1066
http://www.securityfocus.com/bid/47521
http://www.securityfocus.com/archive/1/archive/1/5176252000/100/0/threaded
http://securitytracker.com/id?1025424
http://secunia.com/secunia_research/2011-35/
http://secunia.com/secunia_research/2011-34/
http://secunia.com/advisories/43681



Copyright 2017, cxsecurity.com

 
